Posted to dev@mina.apache.org by "Thomas Wolf (Jira)" <ji...@apache.org> on 2021/04/08 11:01:00 UTC

[jira] [Commented] (SSHD-1154) userauth_pubkey: unsupported public key algorithm: rsa-sha2-512

    [ https://issues.apache.org/jira/browse/SSHD-1154?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17317094#comment-17317094 ] 

Thomas Wolf commented on SSHD-1154:
-----------------------------------

This is the same as [Eclipse bug 572056|https://bugs.eclipse.org/bugs/show_bug.cgi?id=572056]. Should be fixed via SSHD-1105 and SSHD-1141 in current master, and in the next sshd release.

If current master doesn't work with the old OpenSSH 5.3 (released 2009) out of the box, then re-ordering the algorithms to place the old deprecated ssh-rsa before rsa-sha2-512 and rsa-sha2-256 is indeed the only remaining solution.

Compare also the description of the [work-arounds in EGit|https://wiki.eclipse.org/EGit/New_and_Noteworthy/5.11#Known_problems].

> userauth_pubkey: unsupported public key algorithm: rsa-sha2-512
> ---------------------------------------------------------------
>
>                 Key: SSHD-1154
>                 URL: https://issues.apache.org/jira/browse/SSHD-1154
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.6.0
>            Reporter: UmaShankar Avagadda
>            Priority: Blocker
>
> *Environment details:*
> *Server OS* : CentOS release 6.9 (Final)
> $ ssh -V
>  
> {code:java}
> OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013{code}
>  
> $ sshd -T
>  
> {code:java}
> port 22
> protocol 2
> addressfamily any
> listenaddress 0.0.0.0:22
> listenaddress [::]:22
> usepam yes
> serverkeybits 1024
> logingracetime 120
> keyregenerationinterval 3600
> x11displayoffset 10
> maxauthtries 6
> maxsessions 10
> clientaliveinterval 0
> clientalivecountmax 3
> permitrootlogin yes
> ignorerhosts yes
> ignoreuserknownhosts no
> rhostsrsaauthentication no
> hostbasedauthentication no
> hostbasedusesnamefrompacketonly no
> rsaauthentication yes
> pubkeyauthentication yes
> kerberosauthentication no
> kerberosorlocalpasswd yes
> kerberosticketcleanup yes
> gssapiauthentication yes
> gssapikeyexchange no
> gssapicleanupcredentials yes
> gssapistrictacceptorcheck yes
> gssapistorecredentialsonrekey no
> gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
> passwordauthentication yes
> kbdinteractiveauthentication no
> challengeresponseauthentication no
> printmotd yes
> printlastlog yes
> x11forwarding yes
> x11uselocalhost yes
> strictmodes yes
> tcpkeepalive yes
> permitemptypasswords no
> permituserenvironment no
> uselogin no
> compression delayed
> gatewayports no
> showpatchlevel no
> usedns yes
> allowtcpforwarding yes
> allowagentforwarding yes
> useprivilegeseparation yes
> kerberosusekuserok yes
> pidfile /var/run/sshd.pid
> xauthlocation /usr/bin/xauth
> ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> macs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> kexalgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> banner none
> authorizedkeysfile .ssh/authorized_keys
> authorizedkeysfile2 .ssh/authorized_keys2
> loglevel DEBUG
> syslogfacility AUTHPRIV
> hostkey /etc/ssh/ssh_host_rsa_key
> hostkey /etc/ssh/ssh_host_dsa_key
> acceptenv LANG
> acceptenv LC_CTYPE
> acceptenv LC_NUMERIC
> acceptenv LC_TIME
> acceptenv LC_COLLATE
> acceptenv LC_MONETARY
> acceptenv LC_MESSAGES
> acceptenv LC_PAPER
> acceptenv LC_NAME
> acceptenv LC_ADDRESS
> acceptenv LC_TELEPHONE
> acceptenv LC_MEASUREMENT
> acceptenv LC_IDENTIFICATION
> acceptenv LC_ALL
> acceptenv LANGUAGE
> acceptenv XMODIFIERS
> subsystem sftp /usr/libexec/openssh/sftp-server
> maxstartups 10:30:100
> permittunnel no
> permitopen any{code}
> sshd-common : 2.6.0
> sshd-core : 2.6.0
> I am using Client protocol version 2.0; client software version APACHE-SSHD-2.6.0
> I am trying to SSH to my server (RHEL6) using APACHE-SSHD-2.6.0 with the code snippet below.
> {code:java}
> String send = "HOST:" + host + " " + command;
> InputStream inputStream = new ByteArrayInputStream(send.getBytes());
> SshClient client = SshClient.setUpDefaultClient();
> client.start();
> ConnectFuture cf = client.connect(username, host, port);
> try (ClientSession session = cf.verify().getSession()) {
>     // loadKeypair is the reporter's own helper that reads the private key file
>     session.addPublicKeyIdentity(loadKeypair(privateKey.getAbsolutePath()));
>     // Authentication fails here with "No more authentication methods available"
>     session.auth().verify(defaultTimeoutSeconds, TimeUnit.SECONDS);
> } finally {
>     client.stop();
> }
> {code}
> This is working fine with RHEL8, Ubuntu14, Ubuntu16, Ubuntu18 but not with RHEL6 and RHEL7, where I get the exception below.
> *unsupported public key algorithm: rsa-sha2-512* appears in the sshd log.
>  
> {code:java}
> Caused by: org.apache.sshd.common.SshException: No more authentication methods available
>         at org.apache.sshd.common.future.AbstractSshFuture.verifyResult(AbstractSshFuture.java:126)
>         at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:39)
>         at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:32)
>         at org.apache.sshd.common.future.VerifiableFuture.verify(VerifiableFuture.java:56)
>         at com.zimbra.cs.rmgmt.RemoteManager.executeRemoteCommand(RemoteManager.java:170)
>         at com.zimbra.cs.rmgmt.RemoteManager.execute(RemoteManager.java:147)
>         ... 70 more
> Caused by: org.apache.sshd.common.SshException: No more authentication methods available
>         at org.apache.sshd.client.session.ClientUserAuthService.tryNext(ClientUserAuthService.java:342)
>         at org.apache.sshd.client.session.ClientUserAuthService.processUserAuth(ClientUserAuthService.java:277)
>         at org.apache.sshd.client.session.ClientUserAuthService.process(ClientUserAuthService.java:224)
>         at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:502)
>         at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:428)
>         at org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1463)
>         at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:388)
>         at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:64)
>         at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:358)
>         at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:335)
>         at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:332)
>         at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
>         at java.base/java.security.AccessController.doPrivileged(AccessController.java:312)
>         at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
>         at java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:127)
>         at java.base/sun.nio.ch.Invoker$2.run(Invoker.java:219)
>         at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
>         at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>         at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
> {code}
> {code:java}
> broken-relay2:# /usr/sbin/sshd -d
> debug1: sshd version OpenSSH_5.3p1
> debug1: read PEM private key done: type RSA
> debug1: private host key: #0 type 1 RSA
> debug1: read PEM private key done: type DSA
> debug1: private host key: #1 type 2 DSA
> debug1: rexec_argv[0]='/usr/sbin/sshd'
> debug1: rexec_argv[1]='-d'
> Set /proc/self/oom_score_adj from 0 to -1000
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> debug1: Bind to port 22 on ::.
> Server listening on :: port 22.
> debug1: Server will not fork when running in debugging mode.
> debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
> debug1: inetd sockets after dupping: 3, 3
> Connection from X.X.X.X port 55874
> debug1: Client protocol version 2.0; client software version APACHE-SSHD-2.6.0
> debug1: no match: APACHE-SSHD-2.6.0
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.3
> debug1: permanently_set_uid: 74/74
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: client->server aes128-ctr hmac-sha2-256 none
> debug1: kex: server->client aes128-ctr hmac-sha2-256 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user zimbra service ssh-connection method none
> debug1: attempt 0 failures 0
> debug1: PAM: initializing for "zimbra"
> debug1: PAM: setting PAM_RHOST to "mail.example.com"
> debug1: PAM: setting PAM_TTY to "ssh"
> debug1: userauth-request for user zimbra service ssh-connection method publickey
> debug1: attempt 1 failures 0
> userauth_pubkey: unsupported public key algorithm: rsa-sha2-512
> Connection closed by X.X.X.X
> debug1: do_cleanup
> debug1: do_cleanup
> debug1: PAM: cleanup{code}
> I found 2 solutions.
> *Solution 1:*
> I upgraded ssh on RHEL6; it's working fine now.
> Before upgrade ssh version:
> $ ssh -V
> {code:java}
> OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013{code}
> After upgrade ssh version:
> $ ssh -V
> {code:java}
> OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017{code}
> *Solution 2:*
> I changed the order of *SignatureFactoriesNameList*; it's working fine now.
> I changed the order of rsa-sha2-512, rsa-sha2-256, and ssh-rsa:
> *Actual order:* 
> ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,*rsa-sha2-512,rsa-sha2-256,ssh-rsa*
> *Changed order:*
> ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,*ssh-rsa,rsa-sha2-512,rsa-sha2-256*
>  
> {code:java}
> SshClient client = SshClient.setUpDefaultClient();
> client.setSignatureFactoriesNameList("ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-rsa,rsa-sha2-512,rsa-sha2-256");
> {code}
> *Solution 1* is good but not acceptable in my case; we can't ask our customers to upgrade server/system packages to make them compatible with a Java SSH client.
> Please let me know whether *solution 2* is the better approach or not. If not, why, and what issues am I going to face with this change?
>  
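As an added illustration (not code from the reporter, from MINA SSHD or from OpenSSH), the following Python model shows why the client's signature preference order decides the outcome against a server that predates the server-sig-algs extension, and what the reordering in solution 2 costs against a server that does support rsa-sha2-*. The server profiles and the shortened client orders are constructed for the example.

```python
"""Model of which signature algorithm a publickey userauth attempt uses.

Constructed illustration, not MINA SSHD or OpenSSH code. RFC 8332 lets an
ssh-rsa key sign as ssh-rsa (SHA-1), rsa-sha2-256 or rsa-sha2-512; RFC 8308
lets a server advertise what it accepts via the server-sig-algs extension.
A server that predates RFC 8308 (OpenSSH 5.3 in the report) sends nothing,
so the client can only follow its own preference order.
"""

# Signature algorithms an RSA key can use, and the two client orders from the
# report (shortened to the RSA-relevant tail plus one non-RSA entry, which the
# filter below skips because it does not apply to an RSA key).
RSA_SIG_ALGS = {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"}
ACTUAL_ORDER = ["ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]
CHANGED_ORDER = ["ecdsa-sha2-nistp256", "ssh-rsa", "rsa-sha2-512", "rsa-sha2-256"]

# Constructed server profiles: what userauth_pubkey accepts, and the
# server-sig-algs set (None = no EXT_INFO sent, i.e. a pre-RFC 8308 server).
LEGACY_SERVER = {"accepts": {"ssh-rsa", "ssh-dss"}, "server_sig_algs": None}
MODERN_SERVER = {"accepts": RSA_SIG_ALGS | {"ecdsa-sha2-nistp256"},
                 "server_sig_algs": RSA_SIG_ALGS | {"ecdsa-sha2-nistp256"}}


def choose_algorithm(client_order, server_sig_algs):
    """First client-preferred algorithm usable with an RSA key.

    If the server advertised server-sig-algs, skip anything it did not list;
    otherwise the client has no information and takes its own first choice.
    """
    for alg in client_order:
        if alg not in RSA_SIG_ALGS:
            continue
        if server_sig_algs is not None and alg not in server_sig_algs:
            continue
        return alg
    return None


def attempt_publickey_auth(client_order, server):
    """Outcome of one publickey attempt. The client does not retry with the
    next algorithm here, matching the single failure seen in the report."""
    alg = choose_algorithm(client_order, server["server_sig_algs"])
    if alg is None:
        return "no usable signature algorithm"
    if alg not in server["accepts"]:
        return f"userauth_pubkey: unsupported public key algorithm: {alg}"
    return f"accepted: {alg}"
```

The reordered list makes the legacy server accept ssh-rsa, but it also makes the client sign with SHA-1 ssh-rsa against servers that would have accepted rsa-sha2-512; that downgrade is the trade-off of applying solution 2 globally rather than only for known-legacy hosts.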



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
